Electrical and electronic protective systems for installations are generally known. For example, laid-open specification DE 33 09 431 A1 discloses a protective system for a turbine set, whose rapid closure or bypass valves are equipped with electro-hydraulic actuating and switching drives. The drives have means for reception of electrical drive signals, by which means valves or other actuating members of a turbine set are operated. The drive signals are in this case generated by an appliance system which is a part of the electrical protective system, possibly with the interposition of an amplifier. In order to increase the availability, the appliance system comprises two identical programmable logic central units, each having an input/output peripheral. Depending on the requirement, the inputs/outputs may have a single channel, or two channels, for redundancy reasons. The two internal bus systems of the appliances are continuously monitored for non-equivalence by means of fail-safe comparator assemblies. If they are not equivalent, a system fault is present, which switches off the drive for the safety fittings of the installation, thus protecting it.
During operation of the turbine set, the inputs receive recorded operating parameters, which can be subdivided into two groups: highly time-critical protective criteria on the one hand, and less time-critical protective criteria on the other. One protective circuit is provided in the protective system for each of these protective criteria.
The highly time-critical protective criteria are those which require a spontaneous reaction or a reaction as quickly as possible, that is to say shut-down, if their measured values are outside a permissible range. These criteria include, for example, the rotation speed of the turbine set, the generator block protection and the compressor surge monitoring. For these stated criteria, a reaction should take place within a maximum of 50 milliseconds after the occurrence of the defect. In other words, operating states which endanger the installation should be identified by the protective system after their occurrence and should reliably lead, within 50 milliseconds, to quick shut-down of the installation, initiated by the protective system. This process is also referred to as tripping.
Less time-critical protective criteria include operating parameters whose faults allow longer reaction times. Examples of less time-critical protective criteria are the bearing oil pressure, the turbine temperature protection, the bearing vibration and the bearing temperature. Reaction times of considerably more than 50 milliseconds are acceptable in this case.
In order to comply with the short reaction times of a maximum of 50 milliseconds, specific programmable logic automation systems have until now been used as appliance systems. These have the capability for interrupt processing of signals. This interrupt processing was intended for the highly time-critical protective criteria, that is to say for the highly critical operating parameters of the installation. Interrupt processing made it possible to ensure the required reaction times, since the signals relating to the highly time-critical protective criteria could in this way be processed with preference (with priority) by the automation system. The endlessly (cyclically) executed commands of the program stored in the automation system were therefore interrupted in real time as soon as an interrupt signal occurred. In consequence, the highly time-critical turbine protection circuits could be implemented by means of such an automation system without having to interpose further control components between the automation system and the actuating members and/or their electrical drives.
More recent successor generations of automation systems, which are now available on the market, no longer offer the capability for interrupt processing of highly critical operating parameters. When such an automation system is used, the highly time-critical protective criteria can therefore no longer be processed with priority, but only at the point at which the internally stored program procedure of the programmable logic automation system provides for this. When automation systems without interrupts are used, the reaction times required for protection of the turbine set can no longer be guaranteed, which means that interrupt-free automation systems appear to be unsuitable for use in protective systems of the type mentioned above.
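The reaction-time argument of the two preceding paragraphs, as an added illustration that is not part of the specification: a small Python model of a cyclic automation program, in which inputs are latched once per scan, compared with interrupt processing of the same trip criterion, plus the two-channel non-equivalence check from the comparator monitoring described at the beginning. The block durations, interrupt latency, channel tolerance and speed limit are constructed assumptions; only the 50 ms budget comes from the text.

```python
from dataclasses import dataclass

TRIP_DEADLINE_MS = 50.0  # maximum reaction time stated for highly time-critical criteria


@dataclass
class CyclicProgram:
    """Cyclic (scan-based) automation program: the blocks run endlessly in order and
    the inputs are latched into the process image once at the start of every scan."""
    blocks_ms: list                    # constructed execution times of the blocks, in scan order
    trip_block: int                    # index of the block evaluating the time-critical criterion
    interrupt_latency_ms: float = 0.0  # assumed latency from signal edge to interrupt routine start

    @property
    def cycle_ms(self) -> float:
        return sum(self.blocks_ms)

    @property
    def trip_block_end_ms(self) -> float:
        # Offset from scan start at which the trip block has finished executing
        return sum(self.blocks_ms[: self.trip_block + 1])


def reaction_time_cyclic(prog: CyclicProgram, t_arrival_ms: float) -> float:
    """Reaction time without interrupts: the signal waits for the next input latch,
    then for the trip block to be reached and completed within that scan."""
    wait_for_latch = (-t_arrival_ms) % prog.cycle_ms
    return wait_for_latch + prog.trip_block_end_ms


def worst_case_cyclic(prog: CyclicProgram) -> float:
    """Worst case: the signal arrives just after the inputs were latched."""
    return prog.cycle_ms + prog.trip_block_end_ms


def reaction_time_interrupt(prog: CyclicProgram) -> float:
    """With interrupt processing the running scan is preempted, so only the interrupt
    latency and the trip block's own execution time count."""
    return prog.interrupt_latency_ms + prog.blocks_ms[prog.trip_block]


def meets_deadline(reaction_ms: float) -> bool:
    return reaction_ms <= TRIP_DEADLINE_MS


def evaluate_trip(ch_a: float, ch_b: float, limit: float, tolerance: float):
    """Fail-safe evaluation of a two-channel measurement: non-equivalence of the two
    channels is treated as a system fault and trips just like a limit violation."""
    if abs(ch_a - ch_b) > tolerance:
        return True, "non-equivalence"
    if ch_a > limit or ch_b > limit:
        return True, "limit exceeded"
    return False, "ok"
```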
Instead of using programmable logic fail-safe automation systems, it is also known for fail-safe protection circuits for highly time-critical and less time-critical protective criteria to be built from pure relay assemblies. Relay assemblies are electrical circuits in which a multiplicity of relays are interconnected to form the protection circuit. Although these relay assemblies achieve the required reaction times, they have a low diagnostic coverage. This means that faults occurring in the relay assembly or in its wiring, such as shorts to potential, can be detected only inadequately. Because of this low diagnostic coverage, relay assemblies must be checked for serviceability by repeated tests, which have to be carried out manually. The testing is normally the responsibility of the power station operator of the turbine set and, furthermore, can be carried out only with the turbine set shut down. The repeated manual tests therefore place more stringent demands on the care and specialist knowledge of the power station operators, and the need for repeated testing further reduces the already low acceptance of relay assemblies. Furthermore, entirely untested relay assemblies have a comparatively high failure probability, which can lead to machine damage and consequential damage when they are actually called upon to quick shut-down the turbine set.