Field of the Invention
The invention relates to a responsive system for signal processing, which for an input signal state generates an unambiguous output signal state; the system has a plurality of data processing units, which communicate with one another via data transmission units, and on which modularly constructed computer programs are implemented. The invention also relates to a method for determining a reliability parameter of a responsive system.
A responsive system, i.e., a fault-tolerant and real-time-capable system for signal processing, has manifold uses in industrial automation. It is of particular significance in automation processes in which predetermined time limits must be observed, or in which demanded output signals must be produced within predetermined time intervals. Such demands often arise in production processes, closed-loop and open-loop control processes, and monitoring processes; an example is the safety instrumentation and control system of a nuclear power plant. Whether time limits or time intervals are observed depends decisively on the operability of the individual, in particular equipment-specific, components. In a complex system in which data processing units are connected to one another to form a large data network, errors in individual components can, for a given input signal state, lead to an erroneous output signal state. For existing signal processing systems, a reliability analysis is therefore often performed on the basis of the input signal states that must be taken into account for the system.
Special demands, which are listed in so-called demand and documentation units, are made of a system for signal processing in the safety instrumentation and control system (safety I & C) of a nuclear power plant. In such a unit, a plurality of disjoint process control segments are combined under safety aspects. Examples of such units are the so-called I & C functions, which represent a model for signal processing in the safety I & C together with a formal documentation hierarchy. For the safety I & C in a pressurized water reactor, the special demands are predetermined by up to 153 different I & C functions. Of particular significance for the safety I & C of a nuclear power plant is knowledge of the availability of individual I & C functions, which are implemented in the system by means of data transmission units, data processing units, and open-loop and closed-loop control units, as well as the availability of certain combinations of I & C functions.
Of particular interest here is how the failure of individual components affects the availability of the responsive I & C system. Possible failures that can be taken into account in ascertaining availability are as follows:
- a single sensor (signal detection unit), and hence a single signal, fails;
- an input or output component group, and hence a group of signals, fails;
- a computer (data processing unit), which represents a node in the data network, fails;
- a communications processor fails, so that certain signals can neither be sent nor received; and
- all the computers in a room or in a building fail, for instance because of a fire.
For determining the availability of a responsive system for signal processing, the system is examined in part, using mathematical analysis methods and taking into account the possible failures of components. Failures can be evaluated by the fault tree method, Markov chains, generalized stochastic Petri nets, and so-called renewal processes. The availability of the system can be quantified by an unambiguous reliability parameter; the above methods can be carried out manually, however, only by making conservative simplifications and estimates. The reliability of an interlinked system in the safety I & C is proved by determining the reliability of individual representative, sufficiently complex and significant tripping signals, which initiate appropriate safety measures in the event of an accident. One example of such a tripping signal is the signal that is tripped in an accident involving a loss of core coolant, upon a switchover from flooding of the reactor pressure vessel to a cooling mode via the reactor sump. In the reliability analysis of an existing system, in other words a posteriori, the definitive portion of the system in which the tripping signal is generated is determined, together with the hardware contained in it and the associations (interlinkage) of that hardware, such as sensors, data transmission units, data processing units, etc. The influence of further parts of the system (such as the ventilation system) can be estimated, excluded by definition, or optionally represented in simplified form. For the components (hardware) of the definitive part, such as data input units and data output units, data processing units, monitoring units, and voters, the respective interaction and an applicable failure probability are determined (experimentally or theoretically). These failure probabilities, expressed as failure rates, are approximately in a range from 1·10^-7/h to 1·10^-4/h.
Associated with these failure probabilities are error probabilities due to systematic errors latent in the computer programs used, in the hardware used, and in data structures provided for joint access to computer programs and/or hardware, as well as error probabilities caused by error-causing events (such as fire). The interlinkage of the components of the definitive part is worked out by mathematical linkage operations and delivered, together with the failure probabilities and optionally in a simplified structure, to an evaluation program. Such an evaluation program can for instance be the risk spectrum PSA program made by Recon AB in Sweden, which by the fault tree method furnishes a conservative estimate of the unavailability (failure probability) for the corresponding tripping signal. For the tripping signal described as an example above, this unavailability is approximately 1·10^-3. A reliability parameter ascertained in this way is as a rule overly conservative and takes the more-detailed structure of the responsive system into account only to a limited extent; as a result, even a breakdown of the contribution of individual components to the unavailability is possible only in broad strokes.
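The following is an added worked example of the fault tree evaluation described above; it is not code from the patent or from any PSA program. It converts component failure rates into on-demand unavailabilities, builds a small fault tree for a tripping signal, and evaluates the top event twice: exactly, assuming independent basic events, and with the rare-event (minimal-cut-set sum) approximation that fault tree programs report as a conservative estimate. The tree structure (three redundant measurement channels feeding a 2-out-of-3 voter, with a communications processor common to all channels), the test intervals, and the failure rates are assumptions chosen within the 1·10^-7/h to 1·10^-4/h range the text gives; the component names are illustrative.

```python
"""Fault-tree evaluation of the unavailability of a tripping signal.

Added illustration, not code from the patent or from any PSA tool.
All failure rates, test intervals and the tree structure are assumptions.
"""
from itertools import combinations
from math import prod

# A tree node is one of:
#   ("basic", q)             basic event with on-demand unavailability q
#   ("or", [children])       event occurs if any child occurs
#   ("and", [children])      event occurs only if all children occur
#   ("koon", k, [children])  event occurs if at least k of the children occur


def unavailability(rate_per_h, test_interval_h):
    """Average on-demand unavailability of a periodically tested component
    with constant failure rate: lambda * tau / 2 (valid while lambda*tau << 1)."""
    return rate_per_h * test_interval_h / 2.0


def exact(node):
    """Exact probability of the event at `node`, assuming independent basic events."""
    kind = node[0]
    if kind == "basic":
        return node[1]
    if kind == "and":
        return prod(exact(c) for c in node[1])
    if kind == "or":
        return 1.0 - prod(1.0 - exact(c) for c in node[1])
    if kind == "koon":
        k, children = node[1], node[2]
        p = [exact(c) for c in children]
        n = len(p)
        # Sum over every way in which at least k of the n children can fail.
        return sum(
            prod(p[i] if i in failed else 1.0 - p[i] for i in range(n))
            for m in range(k, n + 1)
            for failed in combinations(range(n), m)
        )
    raise ValueError(f"unknown node kind {kind!r}")


def rare_event_bound(node):
    """Upper bound obtained by summing minimal-cut-set probabilities.
    This is the conservative figure a fault-tree program typically reports;
    it exceeds the exact value because overlapping cut sets are counted twice."""
    kind = node[0]
    if kind == "basic":
        return node[1]
    if kind == "and":
        return prod(rare_event_bound(c) for c in node[1])
    if kind == "or":
        return sum(rare_event_bound(c) for c in node[1])
    if kind == "koon":
        k, children = node[1], node[2]
        b = [rare_event_bound(c) for c in children]
        # Each k-subset of children is one cut set.
        return sum(prod(b[i] for i in subset) for subset in combinations(range(len(b)), k))
    raise ValueError(f"unknown node kind {kind!r}")


def tripping_signal_tree():
    """Assumed definitive part of the system for one tripping signal.
    The same `channel` subtree is reused three times; the evaluators treat
    the three copies as independent, which is the intended model."""
    channel = ("or", [
        ("basic", unavailability(2e-6, 8760)),  # sensor, tested yearly (assumed)
        ("basic", unavailability(1e-6, 8760)),  # input component group (assumed)
        ("basic", unavailability(5e-6, 720)),   # data processing unit, monthly self-test (assumed)
    ])
    return ("or", [
        ("koon", 2, [channel, channel, channel]),  # signal lost if two or more channels fail
        ("basic", unavailability(1e-6, 8760)),     # voter (assumed)
        ("basic", unavailability(2e-6, 720)),      # communications processor (assumed)
    ])


def evaluate():
    """Return (exact unavailability, conservative rare-event bound) for the tree."""
    tree = tripping_signal_tree()
    return exact(tree), rare_event_bound(tree)


if __name__ == "__main__":
    q, bound = evaluate()
    print(f"exact unavailability:        {q:.3e}")
    print(f"rare-event (conservative):   {bound:.3e}")
```

With the assumed figures the two results differ only slightly, because the basic-event probabilities are small; the gap between the exact value and the bound grows as components become less reliable or as cut sets overlap more, which is the sense in which a fault tree estimate is conservative.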