1. Field of the Invention
This invention is directed to systems used to provide automatic responses to abnormal conditions in complex processes such as nuclear reactors, and to apparatus for testing such systems. More particularly, it is directed to means for reliably testing such systems for both normally energized and normally deenergized response devices without interrupting system response to abnormal conditions and despite large variations in energizing voltage.
2. Prior Art
Protection systems for complex processes monitor selected process parameters, such as temperatures, pressures and flows, and the status of various components such as whether a valve is open or closed or whether a pump is on or off, and provide automatic responses to measured values of the parameters and to detected status states of the components which require positive intervention to prevent, or to alleviate the effects of, abnormal process conditions. High reliability is an essential requirement for such a system. In order to enhance reliability, it is common practice to provide redundant sensors for each selected parameter and component status. It is also common practice to vote the responses of the redundant sensors, that is, to require that a plurality, but not necessarily all, of the sensors detect the abnormal condition before action is initiated, in order to reduce the probability of a spurious actuation.
A nuclear power plant is one example of a complex process in which such a protection system is employed. The protection system in a nuclear power plant performs a plurality of functions. It can shut down, or trip, the reactor if conditions warrant, or it can perform a number of engineered safeguard functions, such as opening or closing valves and turning on or off pumps or other components. Typically, the trip function involves deenergizing electro-mechanical jacks which normally hold control rods in a position withdrawn from the reactor core so that the rods reenter the core and cause it to go subcritical. The engineered safeguard functions may involve either deenergizing a load device which is normally energized or energizing a device which is normally deenergized. In a typical engineered safeguard function system, four redundant sensors are used to detect the selected parameters and/or status conditions. The response of each sensor is compared with a setpoint value to generate a digital signal which is referred to as a partial actuation signal since an indication from more than one sensor is required to actuate the safety component. The four partial actuation signals for each parameter or status condition are all fed to each of two identical, electrically isolated logic trains. Typically, this is accomplished by applying each partial actuation signal to the coil of a relay having one set of contacts in each logic train. Each logic train independently votes the partial actuation signals, such as two out of four, and generates an actuation signal. The two independently generated actuation signals are then applied to a power interface circuit which requires the presence of both actuation signals to actuate the load device, either a normally energized or normally deenergized component, to initiate the engineered safeguard function. Such a two out of two voting power interface can be disabled by a single failure in one of the two channels.
In order to provide tolerance to single failures in a logic train or switching device, the systems described in the related applications referred to above propose the use of two out of three voting power interfaces.
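The voting arrangement described above can be checked exhaustively. The following is an added example, not part of the patent text: it models the setpoint comparison, the two-out-of-four vote in each logic train, and the power interface vote, then enumerates every single stuck-output train failure. The setpoint, the sensor readings, the stuck-output failure model, and the assumption that the two out of three interface is fed by three logic trains are constructed for illustration.

```python
from itertools import product

SETPOINT = 100.0  # constructed value; a reading above it counts as abnormal


def partial_actuation(readings, setpoint=SETPOINT):
    """Compare each redundant sensor with the setpoint: one bit per sensor."""
    return [r > setpoint for r in readings]


def vote(bits, k):
    """k-out-of-n vote: true when at least k of the inputs are true."""
    return sum(bits) >= k


def train_outputs(partials, n_trains, stuck=None):
    """Every train votes two out of four on the same partial actuation signals.
    `stuck` maps a train index to a forced output (assumed failure model)."""
    stuck = stuck or {}
    return [stuck.get(i, vote(partials, 2)) for i in range(n_trains)]


def interface(partials, n_trains, k, stuck=None):
    """Power interface: k-out-of-n vote over the train actuation signals."""
    return vote(train_outputs(partials, n_trains, stuck), k)


def single_failure_report(n_trains, k):
    """Count missed and spurious actuations over all sensor patterns and all
    single stuck-train failures (each train stuck off, then stuck on)."""
    missed = spurious = 0
    for partials in product([False, True], repeat=4):
        demand = vote(partials, 2)  # what a healthy system should do
        for train, forced in product(range(n_trains), [False, True]):
            out = interface(list(partials), n_trains, k, {train: forced})
            if demand and not out:
                missed += 1
            if out and not demand:
                spurious += 1
    return {"missed": missed, "spurious": spurious}


if __name__ == "__main__":
    readings = [98.0, 103.5, 101.2, 99.0]  # constructed sensor values
    print(partial_actuation(readings))
    print("2oo2:", single_failure_report(2, 2))
    print("2oo3:", single_failure_report(3, 2))
```

With two trains and a two out of two interface, a train stuck off blocks every genuine demand; with three trains and a two out of three interface, no single stuck train causes either a missed or a spurious actuation.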
Regulations require that the switching devices comprising the power interface be tested periodically. At present, these tests are performed manually with the plant remaining on line. To avoid disrupting plant operation, special test procedures and circuits have been employed to permit testing without changing the energization status of the actuated device associated with the interface under test.
In the case of a normally energized load which cannot be deenergized while the plant is in operation, the apparatus and method used are as described in U.S. Pat. No. 3,967,257. This involves connecting a current monitor in series with the switching device under test and connecting in parallel with that combination a second switching device which is also equipped with a visual current monitor. To perform the test, the second switching device is first "closed" in order to maintain power to the load. The device under test is then exercised while the corresponding current monitor is observed as an indication of its switching state. Normally deenergized loads which cannot be energized during testing are generally tested by exercising the switching devices using a current which is of sufficient magnitude to be detectable but which is below the actuation current threshold for the actuated device.
The prior art systems for testing power interfaces utilize feedback signals which indicate the presence or absence of current in the various circuit legs or they generate analog or digital representations of current magnitude. One problem with test schemes which rely on reading current magnitude is that the current varies as a function of power supply voltage. In the case of a nominal 120 volt DC system, a voltage swing of 50 volts may occur between a low battery condition (approximately 100 VDC) and a full battery or charging condition (approximately 150 VDC).
A primary object of the subject invention is to provide a testable voted logic protection system, and particularly a power interface for such a system, which is operative with either normally energized or normally deenergized loads without interrupting the protection function and without a change in circuit topology.
It is another important object of the invention to provide such apparatus which is self-compensating for large variations in power supply voltage.
It is still another important object of the invention to provide such apparatus which generates reliable, one-bit digital signals in response to test signals.